HestiaCP (1.2.0 - 1.9.4)

HestiaCP versions 1.2.0 through 1.9.4 are vulnerable to IP spoofing (CVE-2026-43634), allowing unauthenticated remote attackers to bypass authentication security controls by manipulating the CF-Connecting-IP HTTP header to circumvent fail2ban, bypass IP allowlists, and poison authentication logs.